Access to Patient Records without Authorization
Before the effective data of HIPAA, April 14, 2003 at the earliest, the privacy of medical information was controlled the state and federal laws discussed earlier in this section, which provided relatively limited protections. Research data was protected by the federal regulation called the Common Rule. To a great extent, the Common Rule, and the related FDA regulations on human subjects research, left the questions about access to patient information and protection of that data to IRBs. Authorization to release information, how that information would be used and protected, and whether authorization was needed at all, was considered part of the informed consent process. HIPAA recognized that there would be situations where the its general requirement of specific authorization for the release of PHI would be difficult in some research settings. The most obvious examples were all of the research that was begun before the effective data of HIPAA and was still going on. This included multi- year community studies with datasets going back for decades. Strict application of HIPAA would require getting new authorizations from every study participant.